UserStorage SPI and IdP: not finding users

I’m trying to retrofit a 25 year old system with OIDC, and I’ve run into a small snag.

Our initial approach is to simply create a read-only UserStorage SPI. This worked fine in our initial tests, although we need to do some additional work to make sure the app server has all the state it's expecting.

Now I need to integrate with an IdP. In our current use case (of integrating with a 25 year old system) we have complete control over the users. We're connecting two medical systems, so all the users are controlled. We're expecting (for now) to manually create the users on our system with usernames that match what we get back from the IdP. As a result, I want to automatically link the users from the IdP with the user in our system.

I've created a first brokered flow that includes only "Automatically Link Brokered Account" set to required.

I run the Keycloak server with remote debugging enabled and drop breakpoints in my user SPI. If I log in with a username and password, the breakpoints I would expect trigger.

But if I log in with the IdP, I don't get any of my code triggered (I also have INFO statements at the start of each method so I can see it's triggered even if the debugger is not attached), and I end up with an "invalid username and password" error at the end.

What do I need to do to get Keycloak to look up users from my SPI?